Empire

Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]

ID: S0363
Associated Software: EmPyre, PowerShell Empire
Type: TOOL
Platforms: Linux, macOS, Windows
Version: 1.8
Created: 11 March 2019
Last Modified: 25 September 2024

Associated Software Descriptions

Name Description
EmPyre [2]
PowerShell Empire [2]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Empire can use WMI to deliver a payload to a remote host.[2]

Enterprise T1557 .001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Empire can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.[2][4]

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

Empire can leverage WMI debugging to remotely replace binaries like sethc.exe, Utilman.exe, and Magnify.exe with cmd.exe.[2]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome.[2]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Empire can perform pass the hash attacks.[2]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Empire can utilize built-in modules to modify service binaries and restore them to their original state.[2]

Enterprise T1136 .001 Create Account: Local Account

Empire has a module for creating a local user if permissions allow.[2]

.002 Create Account: Domain Account

Empire has a module for creating a new domain user if permissions allow.[2]

Enterprise T1115 Clipboard Data

Empire can harvest clipboard data on both Windows and macOS systems.[2]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Empire can use TLS to encrypt its C2 channel.[2]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Empire contains modules that can discover and exploit various DLL hijacking opportunities.[2]

.004 Hijack Execution Flow: Dylib Hijacking

Empire has a dylib hijacker module that generates a malicious dylib given the path to a legitimate dylib of a vulnerable application.[2]

.007 Hijack Execution Flow: Path Interception by PATH Environment Variable

Empire contains modules that can discover and exploit path interception opportunities in the PATH environment variable.[2]

.008 Hijack Execution Flow: Path Interception by Search Order Hijacking

Empire contains modules that can discover and exploit search order hijacking vulnerabilities.[2]

.009 Hijack Execution Flow: Path Interception by Unquoted Path

Empire contains modules that can discover and exploit unquoted path vulnerabilities.[2]

Enterprise T1127 .001 Trusted Developer Utilities Proxy Execution: MSBuild

Empire can use built-in modules to abuse trusted utilities like MSBuild.exe.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Empire can modify the registry run keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[2]

.005 Boot or Logon Autostart Execution: Security Support Provider

Empire can enumerate Security Support Providers (SSPs) as well as utilize PowerSploit's Install-SSP and Invoke-Mimikatz to install malicious SSPs and log authentication events.[2]

.009 Boot or Logon Autostart Execution: Shortcut Modification

Empire can persist by modifying a .LNK file to include a backdoor.[2]

Enterprise T1059 Command and Scripting Interpreter

Empire uses a command-line interface to interact with systems.[2]

.001 PowerShell

Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module.[2][1]

.003 Windows Command Shell

Empire has modules for executing scripts.[2]

Enterprise T1482 Domain Trust Discovery

Empire has modules for enumerating domain trusts.[2]

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

Empire can use New-GPOImmediateTask to modify a GPO that will install and execute a malicious Scheduled Task/Job.[2]

Enterprise T1113 Screen Capture

Empire is capable of capturing screenshots on Windows and macOS systems.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Empire can conduct command and control over protocols like HTTP and HTTPS.[2]

Enterprise T1560 Archive Collected Data

Empire can ZIP directories on the target system.[2]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Empire contains an implementation of Mimikatz to gather credentials from memory.[2]

Enterprise T1083 File and Directory Discovery

Empire includes various modules for finding files of interest on hosts and network shares.[2]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Empire can use various modules to search for files containing passwords.[2]

.004 Unsecured Credentials: Private Keys

Empire can use modules like Invoke-SessionGopher to extract private key and session information.[2]

Enterprise T1106 Native API

Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks.[2]

Enterprise T1068 Exploitation for Privilege Escalation

Empire can exploit vulnerabilities such as MS16-032 and MS16-135.[2]

Enterprise T1217 Browser Information Discovery

Empire has the ability to gather browser data such as bookmarks and visited sites.[2]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Empire has the ability to obfuscate commands using Invoke-Obfuscation.[2]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Empire includes various modules to attempt to bypass UAC for escalation of privileges.[2]

Enterprise T1114 .001 Email Collection: Local Email Collection

Empire has the ability to collect emails on a target system.[2]

Enterprise T1070 .006 Indicator Removal: Timestomp

Empire can timestomp any files or payloads placed on a target machine to help them blend in.[2]

Enterprise T1558 .001 Steal or Forge Kerberos Tickets: Golden Ticket

Empire can leverage its implementation of Mimikatz to obtain and use golden tickets.[2]

.002 Steal or Forge Kerberos Tickets: Silver Ticket

Empire can leverage its implementation of Mimikatz to obtain and use silver tickets.[2]

.003 Steal or Forge Kerberos Tickets: Kerberoasting

Empire uses PowerSploit's Invoke-Kerberoast to request service tickets and return crackable ticket hashes.[2]

Enterprise T1082 System Information Discovery

Empire can enumerate host system information like OS, architecture, domain name, applied patches, and more.[2][5]

Enterprise T1033 System Owner/User Discovery

Empire can enumerate the username on targeted hosts.[5]

Enterprise T1569 .002 System Services: Service Execution

Empire can use PsExec to execute a payload on a remote host.[2]

Enterprise T1049 System Network Connections Discovery

Empire can enumerate the current network connections of a host.[2]

Enterprise T1016 System Network Configuration Discovery

Empire can acquire network configuration information like DNS servers, public IP, and network proxies used by a host.[2][5]

Enterprise T1615 Group Policy Discovery

Empire includes various modules for enumerating Group Policy.[2]

Enterprise T1135 Network Share Discovery

Empire can find shared drives on the local system.[2]

Enterprise T1040 Network Sniffing

Empire can be used to conduct packet captures on target hosts.[2]

Enterprise T1102 .002 Web Service: Bidirectional Communication

Empire can use Dropbox and GitHub for C2.[2]

Enterprise T1046 Network Service Discovery

Empire can perform port scans from an infected host.[2]

Enterprise T1119 Automated Collection

Empire can automatically gather the username, domain name, machine name, and other information from a compromised system.[5]

Enterprise T1020 Automated Exfiltration

Empire has the ability to automatically send collected data back to the threat actors' C2.[5]

Enterprise T1125 Video Capture

Empire can capture webcam data on Windows and macOS systems.[2]

Enterprise T1134 Access Token Manipulation

Empire can use PowerSploit's Invoke-TokenManipulation to manipulate access tokens.[2]

.002 Create Process with Token

Empire can use Invoke-RunAs to make tokens.[2]

.005 SID-History Injection

Empire can add a SID-History to a user if on a domain controller.[2]

Enterprise T1087 .001 Account Discovery: Local Account

Empire can acquire local and domain user account information.[2]

.002 Account Discovery: Domain Account

Empire can acquire local and domain user account information.[2][6]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Empire can enumerate antivirus software on the target.[2]

Enterprise T1105 Ingress Tool Transfer

Empire can upload and download to and from a victim machine.[2]

Enterprise T1056 .001 Input Capture: Keylogging

Empire includes keylogging capabilities for Windows, Linux, and macOS systems.[2]

.004 Input Capture: Credential API Hooking

Empire contains some modules that leverage API hooking to carry out tasks, such as netripper.[2]

Enterprise T1057 Process Discovery

Empire can find information about processes running on local and remote systems.[2][5]

Enterprise T1055 Process Injection

Empire contains multiple modules for injecting into processes, such as Invoke-PSInject.[2]

Enterprise T1021 .003 Remote Services: Distributed Component Object Model

Empire can utilize Invoke-DCOM to leverage remote COM execution for lateral movement.[2]

.004 Remote Services: SSH

Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.[2]

Enterprise T1210 Exploitation of Remote Services

Empire has a limited number of built-in modules for exploiting remote SMB, JBoss, and Jenkins servers.[2]

Enterprise T1041 Exfiltration Over C2 Channel

Empire can send data gathered from a target through the command and control channel.[2][5]

Enterprise T1567 .001 Exfiltration Over Web Service: Exfiltration to Code Repository

Empire can use GitHub for data exfiltration.[2]

.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Empire can use Dropbox for data exfiltration.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Empire has modules to interact with the Windows task scheduler.[2]

Groups That Use This Software

Campaigns

ID Name Description
C0001 Frankenstein

During Frankenstein the threat actors used Empire for discovery.[5]

References

  1. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  2. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  3. Stepanic, D. (2018, September 2). attck_empire: Generate ATT&CK Navigator layer file from PowerShell Empire agent logs. Retrieved March 11, 2019.
  4. Robertson, K. (2015, April 2). Inveigh: Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool. Retrieved March 11, 2019.
  5. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  6. SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019.
  7. Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020.
  8. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  9. ESET. (2018, August). Turla Outlook Backdoor: Analysis of an unusual Turla backdoor. Retrieved March 11, 2019.
  10. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  11. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  12. Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.
  13. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.